Search This Blog

Showing posts with label APT actors. Show all posts

North Korean Lazarus Group Attacks South African Freight Via New Weapon

 

The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor malware, dubbed Vyveva is one of the latest tools discovered in the Lazarus armory. Vyveva has the capability of exfiltrating files, gathering data from an exploited machine and its drives, remotely connect to a command-and-control (C2) server and run arbitrary code. It also uses watchdogs to keep track of newly connected drives or the active user sessions to trigger new C2 connections on new sessions or drive events.

While ESET researchers have not gained much success in identifying the initial compromise vector but they have discovered three main components comprising Vyveva – its installer, loader and backdoor. Vyveva also consists a ‘timestomping’ option which allows its operators to manipulate any file’s data using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files. 

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, Lazarus group was formed in 2007 and since then, as per the researchers, the group has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The Lazarus Group’s activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on the countries including the US and Britain.

FBI & CISA Warns of Active Attacks on Fortinet FortiOS Servers

 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of active exploits targeting three susceptibilities in Fortinet FortiOS. Fortinet FortiOS is an operating system designed to improve enterprise security and it enables secure networks, endpoints, and clouds to keep the user safe from vulnerabilities and threats. 

According to the advisory, these three unpatched vulnerabilities in Fortinet FortiOS platforms belong to technology services, government agencies, and other private sector bodies. The advanced persistent threat (APT) actors are targeting the vulnerabilities CVE-2018-13379, a path traversal vulnerability (CVSS base score of 9.8); CVE-2020-12812, an improper authentication flaw (CVSS base score of 9.8) and CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5) which were initially revealed in 2019.

The attackers have specifically exploited the vulnerability CVE-2018-13379 since its discovery in 2018. In 2019, nation-state hackers exploited the flaw and targeted the U.S. National Security Agency. Last year in October, a joint CISA/FBI advisory regarding federal, state, and local U.S. government networks being targeted mentioned the flaw.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use the other CVEs or common exploiting techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory read.

Carl Windsor, Fortinet field chief technology officer responded to the joint advisory by stating that Fortinet has already patched the flaws and is educating the customers regarding the vulnerabilities.

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020,” he further stated.